
Margaret-Ann Seger's post referenced in the article: https://www.facebook.com/margaretann.seger/posts/10214004058...


A non-vulnerability like this is a good example of how easy it is to get press for $important_company + security.

Top of Hacker News at the moment and fingers crossed there won't be a wave of articles about this in the coming days from tech press who don't fully understand the issue but know clicks when they see them.


A non-vulnerability? I understand how you could call it non-serious if you don't work on user-oriented code or think all users have perfect peripheral vision all the time. But how do you explain the purpose of the check that fails any non-Google domain then?


Not only to GET press, but also to PRESS the company for $.

This is a huge problem I see with bug bounties. People running the bug bounties, who are not appsec security literate, are basically bullied into thinking that something is a security risk when it quite often is not.

I deal with people trying to do this 10-15 times per week. I can totally see how people get pushed into paying thousands for essentially worthless bugs.


If there is someone to be upset with in this situation, it's Accellion, the vendor who backs files.fb.com.

Looking at how egregious their security mistakes are, they don't appear to take security seriously.

This is the same company that (last I was down there) had a billboard on 101 that says "Secure".

Many echoes of Oracle's "unbreakable" ad campaign while being a company that is aggressively bad at security.


(Wrote about this on reddit but I think it is pending approval, reposting here)

Hi - I work on the security team at Uber. I am this guy: techcrunch.com/2016/03/22/uber-launches-bug-bounty-program-that-pays-hackers-to-find-security-issues/

Yesterday we changed the language on our bug bounty page and I wanted to apologize for the confusion this caused. Since we launched our public bug bounty program on Tuesday, we have been reacting to the types of issues sent in and learning how to better define what we are looking for. This change was part of that, and not an effort to prevent anyone from earning bounties. The reason we clarified is so security researchers, whose time is valuable, wouldn't spend time on lower-risk issues like microsites that are unlikely to get a reward.

To Sean’s points about microsites, a microsite is usually a blog type site that rarely contains Uber user data and lives outside the Uber network. As such, even in cases where microsites are vulnerable, they pose a mild security risk to Uber which is why we clarified in our policy page to say that we do not reward them “except in extraordinary circumstances”. Sean also mentions that they are lower in severity: https://twitter.com/seanmeals/status/712975867236974592. Although the intent around microsites didn’t change, the language did. I apologize for this and we could have done better.

To the specific issue raised in your post, we have made it public: https://hackerone.com/reports/124975. As you mention, the payload does not fire so this is not a security concern.

A successful bug bounty rests on researchers trusting us to run it well, which we take very seriously. All the members of the team running this program are part of the security community and many of us (mjb(1), jordan(2), rob(3)) actively submit to other bug bounty programs or perform security research as a hobby. We have awarded nearly a hundred issues via our pilot bug bounty program so far and we are excited to pay out more in the future.

Our aim is to build a program by researchers, for researchers. I want to personally thank you for taking the time to submit your issue -- and any future issues. You can always see the scope and rules of our bug bounty program at https://hackerone.com/uber and you can feel free to mention my name in any reports to HackerOne to get my attention about an issue.

1. https://www.blackhat.com/us-15/briefings.html#bypass-surgery...
2. http://blog.saynotolinux.com/
3. https://www.google.com/about/appsecurity/hall-of-fame/archiv...


Maybe you know this, maybe you do not but these are all a nod to http://insecure.org/stf/smashstack.html which itself did not directly involve profit. It's a security thing.


I know, but it's the equivalent of "x considered harmful". It just shows a lack of originality.


We sure do. Feel free to apply here at https://www.uber.com/jobs/28017 :)


I found this interesting, feels like the most realistic account so far - http://pastebin.com/BjD84BQ3

I just feel bad for the Amazon people I meet; the 2 year cliff and high pressure on-call simply isn't a thing at the other tech companies. At least for me, and I've worked at a few of them (the plural of anecdote isn't data, but still). Life seems strictly worse at Amazon.


> high pressure on-call simply isn't a thing at the other tech companies. At least for me, and I've worked at a few of them

I think you've been pretty lucky. I've never had a job in IT where there wasn't high pressure on-call.

But... I work in ops. I suppose that might be where the difference lies. I don't know anyone that works on the Ops side of IT that hasn't had to deal with on-call responsibilities.


(Actually, the plural of anecdote is data. Or at least it was originally...)

http://blog.revolutionanalytics.com/2011/04/the-plural-of-an...


His account seems much better than what I experienced. I still think he has swallowed too much Kool-Aid, and this is why Amazon focuses on the young kids they can make an impression on.


I've worked at Amazon and you are absolutely right. The implied "get it done" pressure, basically just socially awkward managers who have no self-value themselves, pushing the new people to work ridiculous hours. Not mentioning hours though, but basically getting inexperienced youth to waste away their lives at their jobs. It's sad. It's definitely a mental and manipulative tactic. It's really cancerous because these exact kind of mentally defective people who spurry to get things done, usually last-licks from Microsoft, become managers. Then they apply that silly pressure to everyone under them, and elegance fades away. Literally horrible code, with little polymorphism, less elegant frameworks, etc. Just a side effect of "get it done." Anyhow, Amazon isn't rosy. It's a dumping ground, and yeah, the FLP process where people get culled is just a side effect of the value of work-life balance and human empathy there. I would never work at Amazon again.


I totally agree. I can see why he would blame a lot of this on himself, but I think it's a mistake. A good manager would have been keeping an eye on him, helping him set boundaries, reducing schedule pressure, etc. If this guy were the only one to have a problem at Amazon that would be one thing, but the sheer number of stories points to deep problems with culture and management.


He had stated that he did drink the Kool-Aid initially...

Seems like a matter-of-fact version.


Sounds like this may interest you - https://www.facebook.com/help/131112897028467/

Facebook wraps up every status update, picture, etc in a .zip file that you can download.


I've actually set up a system where I download this zip file once every 3 months.

My main point is that the barrier to entry for making a new social network/reader etc is not one of innovation. Search for instance is hard to compete with because the bar has been set so high. Facebook is impossible to compete with because of its walls. I don't feel this page brings those walls down.


A service that did this regularly (like once a week) and then made the data available via API for syncing with other services would be useful.


Facebook specifically prohibits this. If I'm not mistaken only the account holder can download the data, you need to enter your password and bypass captcha. Also the download link is sent to your email.


And you can get more data by making a request under data protection laws.


My understanding was that this is only applicable if you are domiciled in the applicable area. Is this not correct? Has anybody tried this?


I tried it (I'm within the EU), but only got lots of boilerplate and got pointed towards their data download which is very limited in scope.

As far as I understand, the first few people to try it got more complete responses, but the data was still incomplete.

So, while technically it is your right, good luck getting anything more than you can already download.


It'd be great if the US implemented some sensible privacy laws.

I'm in the UK, and Europe has a nice set of data protection laws. Enforcing those laws is sub-optimal.


The prevailing argument against regulation is usually cost. "It would be expensive to implement this! MILLIONS OF DOLLARS!" and to the uninformed outsider this has a ring of truth to it. However, any cost figure would be largely overstated, as Facebook and other big providers are already complying with European data laws. As such, the fundamental architecture and implementation have already been done for a non-trivial segment of the internet population. All it would really take is rolling out that infrastructure to the US. Not to say it would be a completely painless process, but they have already established a lot of know-how.


It's bound to happen, if not soon, at least once we start electing legislators who have grown up using these services.


Your declarative statements unencumbered by any research are fascinating.

What would be a better metric in your mind than MAU? Contrast Facebook's MAU to Google Plus's "has a Google account" metric.

The Facebook prospectus also has daily active users, of which at last count there were 483 million.


>"Your declarative statements unencumbered by any research are fascinating"

Worked for a social gaming company, investigated this exact problem ("How many of our DAUs are multiple accounts?"). For our game, which had mechanics that encouraged player-to-player commerce, the number of these fake accounts was huge: around 40% on DAUs of ~150k. It was clear to me and my co-workers that this was a big issue, everywhere. But everyone in the space benefits from saying "1 BILLION USERS!" when you are selling ad reach. Except for those actually buying ads. Oops.

Moved on to different things, shorted ZNGA in April after the OMGPOP acquisition, having been privy to this scheme. Have made a decent return, covering at ~$5, but missed the last two big drops. I'm not particularly concerned what you choose to believe, because my view has worked out pretty well for me.


One wrinkle: doesn't this poll ignore anyone under 18? Facebook lets you sign up only once you have turned 13. Internet users between the ages of 13 and 18 are unaccounted for.

